Andrew Findlay created DIRSTUDIO-971:
----------------------------------------
Summary: connections.xml should not be globally-readable
Key: DIRSTUDIO-971
URL: https://issues.apache.org/jira/browse/DIRSTUDIO-971
Project: Directory Studio
Issue Type: Bug
Components: studio-connection
Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
Environment: Linux
Reporter: Andrew Findlay
Connection parameters are stored in the file connections.xml.
This can include bind DNs and passwords, which are stored in clear text.
The file is globally-readable, exposing these passwords to great risk.
Another bug notes that encrypted storage would be better, but please at least
set the file mode so that it can only be read by its owner.
The file is re-created every time a connection is edited, so changing the file
mode by hand does not solve the problem. A possible workaround for Linux is:
chmod 700 ~/.ApacheDirectoryStudio
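
Added example (not part of the original report or of Directory Studio's code): a shell demonstration of why the directory-level workaround survives the file being re-created while a chmod on the file itself does not. The temporary directory, the file contents and the function names are constructed for illustration, and the rewrite function only stands in for the behaviour the report describes.

```sh
#!/bin/sh
# Added example: constructed directory and file contents, not real Studio data.

# True (0) if group or other hold any permission bit on the path.
# Characters 5-10 of the ls mode string are the group and other triplets.
open_to_others() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Stand-in for the application rewriting connections.xml on every edit:
# the old file is replaced and the new one gets the umask default (0644).
recreate_connections_file() {
    ( umask 022
      rm -f "$1/connections.xml"
      echo '<connections/>' > "$1/connections.xml" )
}

# Prints "exposed" when both the directory and the file grant access to
# other local users, "protected" otherwise.
audit() {
    if open_to_others "$1" && open_to_others "$1/connections.xml"; then
        echo exposed
    else
        echo protected
    fi
}

# Walks through the sequence in the report and prints the five audit results.
run_demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"                                     # world-traversable directory
    recreate_connections_file "$d"; r1=$(audit "$d")   # state described in the report
    chmod 600 "$d/connections.xml"; r2=$(audit "$d")   # file mode fixed by hand
    recreate_connections_file "$d"; r3=$(audit "$d")   # an edit undoes the fix
    chmod 700 "$d";                 r4=$(audit "$d")   # the workaround
    recreate_connections_file "$d"; r5=$(audit "$d")   # survives later edits
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4 $r5"
}

run_demo
```

The audit function can be pointed at ~/.ApacheDirectoryStudio to check an existing installation.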